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Abstract. The paper studies the expressivity, relative succinctness and complexity 
of satisfiability for hybrid extensions of the branching-time logics CTL and CTL+ by 
variables. Previous complexity results show that only fragments with one variable do 
have elementary complexity. It is shown that H^CTL"'" and H^CTL, the hybrid exten- 
sions with one variable of CTL"*" and CTL, respectively, are expressively equivalent but 
H^CTL^ is exponentially more succinct than H^CTL. On the other hand, HCTL"*", 
the hybrid extension of CTL with arbitrarily many variables does not capture CTL*, 
as it even cannot express the simple CTL* property EGFp. The satisfiability problem 
for H^CTL^ is complete for triply exponential time, this remains true for quite weak 
fragments and quite strong extensions of the logic. 

1 Introduction 

Reasoning about trees is at the heart of many fields in computer science , such as verifica- 
tion and semistructured data. A wealth of sometimes quite different frameworks has been 
proposed for this purpose, according to the needs of the respective application. For reasoning 
about computation trees as they occur in verification, branching-time logics like CTL and tree 
automata are two such frameworks. In fact, they are closely related [25]. 
In some settings, the ability to mark a node in a tree and to refer to this node turned out to 
be useful. As neither classical branching-time logics nor tree automata provide this feature, 
many different variations have been considered, including tree automata with pebbles [9,24, 
29], memoryful CTL* [16], branching-time logics with forgettable past [18, 19], and logics with 
the "freeze" operator [14] , the latter ones in the context of data trees [23] . As classical logic 
naturally provides means to refer to a node, namely constants and variables, it is an obvious 
question how these means can be incorporated into branching-time logics without losing their 
desirable properties which made them prevailing in verification [26]. 

This question leads into the field of hybrid logics, where such extensions of temporal logics 
are studied [3]. In particular, a hybrid extension of CTL has been introduced in [29]. 
As usual for branching-time logics, formulas of their hybrid extensions are evaluated at nodes 
of a computation tree, but it is possible to bind a variable to the current node, to evaluate 
formulas relative to the root and to check whether the current node is bound to a variable. 
As an example, the HCTL-formula |x@rootEF(p A EFx) intuitively says "I can place x at the 
current node, jump back to the root, go to a node where p holds and follow some (downward) 
path to reach x again. Or, equivalently: "there was a node fulfilling p in the past of the current 
node". 

In this paper we continue the investigation of hybrid extensions of classical branching-time 
logics started in [29]. The main questions considered are (1) expressivity, (2) complexity of the 
satisfiability problem, and (3) succinctness. Figure 1 shows our results in their context. The 
complexity of the model checking problems will be studied in future work. 

Classical branching-time logics are CTL (with polynomial time model checking and ex- 
ponential time satisfiability) and CTL* (with polynomial space model checking and doubly 
exponential time satisfiability test). As CTL is sometimes not expressive enough^ and CTL* 
is considered too expensive for some applications, there has been an intense investigation of 



^ Some things cannot be expressed at all, some only in a very verbose way. 
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Fig. 1. Expressivity and complexity of satisfiability for hybrid branching-time logics. The lines indicate 
strict inclusion, unrelated logics are incomparable. 



intermediate logics. We take up two of them here: CTL+, where a path formula is a Boolean 
combination of basic path formulas'* and ECTL, where fairness properties can be stated ex- 
plicitly. 

Whereas (even simpler) hybrid logics are undecidable over arbitrary transition systems [1], 
their restriction to trees is decidable via a simple translation to Monadic Second Order logic. 
However, the complexity of the satisfiability problem is high even for simple hybrid temporal 
logics over the frame of natural numbers: nonelementary [10] , even if only two variables are 
allowed [22,29]. The one variable extension of CTL, H^CTL, behaves considerably better, its 
satisfiability problem can be solved in 2EXPTIME [29]. This is the reason why this paper 
concentrates on natural extensions of this complexity-wise relatively modest logic. 
Even H-'^CTL can express properties that are not bisimulation- invariant (e.g., that a certain 
configuration can be reached along two distinct computation paths) and is thus not captured 
by CTL*. In fact, [29] shows that H^CTL captures and is strictly stronger than CTL with 
past, another extension of CTL studied in previous work [15]. One of our main results is that 
H^CTL (and actually even HCTL+) does not capture ECTL (and therefore not CTL*) as 
it cannot express simple fairness properties like EGFp. To this end, we introduce a simple 
Ehrenfeucht-style game (in the spirit of [2]). We show that existence of a winning strategy for 
the second player in the game for a property P implies that P cannot be expressed in HCTL+. 

In [29] it is also shown that the satisfiability problem for H^CTL* has nonelementary 
complexity. We show here that the huge complexity gap between H^CTL and H^CTL* does not 
yet occur between H^CTL and H^CTL"'': we prove that there is only an exponential complexity 
gap between H^CTL and H*CTL+, even when H*CTL+ is extended by past modalities and 
fairness operators. We pinpoint the exact complexity by proving the problem complete for 
3EXPTIME. 

The exponential gap between the complexities for satisfiability of H^CTL and H*CTL+ 
already suggests that H^CTL"*" might be exponentially more succinct than H^CTL. In fact, we 
show an exponential succinctness gap between the two logics by a proof based on the height 
of finite models. This refines the method of [17] based on model size. It should be noted that 
an C'(n)!-succinctness gap between CTL and H^CTL was established in [29]. We mention that 
there are other papers on hybrid logics and hybrid tree logics that do not study expressiveness 
or complexity issue, e.g., [11,21]. 

The paper is organized as follows. Definitions of the logics we use are in Section 2. Expres- 
sivity results are presented in Section 3. The complexity results can be found in Section 4, the 
succinctness results in Section 5. 



Precise definitions can be found in Section 2. 
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2 Definitions 



Tree logics. In this section, we define syntax and semantics of the logics we use. We assume 
the reader is familiar with the tree logics CTL and CTL* [5]. However, we review the definition 

of the syntax and semantics of them next. Formulas of CTL* are composed from state formulas 
if and path formulas tp- They have the following abstract syntax. 

if ::= p I -•(/? I </? V I A I Etp | Atp 
ip ::= If \ -i-ip \ -i/j V -ip \ i/j A ip \ | ipVip 

We use the customary abbreviations Fijj for TU'0 and Gip for —F^ip. 
The semantics of formulas is defined inductively. The semantics of path formulas is defined 
relative to a tree^ T, a path tt of T and a position i > of this path. E.g., T,n,i \= V'iU'02 if 
there is some j > i such that T, tt, j \= -02 and, for each l,i < I < j , T,tt,1 \= tpi- 
The semantics of state formulas is defined relative to a tree T and a node v of T. E.g., 
T,v \= Etjj if there is a path n in T, starting from v such that T,n,0 \= tjj. A state formula 
ip holds in a tree T if it holds in its root. Thus, sets of trees can be defined by CTL* state 
formulas. 

CTL is a strict sub-logic of CTL*. It allows only path formulas of the forms Xip and Lpi\]ip2 
where (f,(pi,(p2 are state formulas. CTL+ is the sub-logic of CTL* where path formulas are 
Boolean combinations of formulas of the forms Xtp and <^iU(p2 and (f,(fi,(f2 are state formulas. 

Hybrid logics. In hybrid logics, a limited use of variables is allowed. For a general introduc- 
tion to hybrid logics we refer to [3] . As mentioned in the introduction, we concentrate in this 
paper on hybrid logic formulas with one variable x. However, as we also discuss logics with 
more variables, we define hybrid logics H'^CTL* with k variables. For c;ac;li A" > 1, the syntax 
of H'^CTL* is defined by extending CTL* with the following rules for state formulas. 

If ::= ixi ip\xi\@xiV\ root | ©root f 

where i G {1, . . . , k}. The semantics is now relative to a vector u = . . . , Uk) of nodes of 

T representing an assignment Xi >—>■ Ui. For a node v and i < k wc write u[i/v] to denote 
. . . , Ui-i,v, Mi+i, . . . , Uk)- For a tree T a node v and a vector m, the semantics of the new 
state formulas is defined as follows. 
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Similarly, the semantics of path formulas is defined relative to a tree T, a path tt of T, a 
position « > of TT and a vector u. E.g., T, ■K,i,u \= Xtp ii T,'K,i + l,u \= ip- 
Intuitively, to evaluate a formula jxj (p one puts a pebble Xi on the current node v and evaluates 
ip. During the evaluation, Xi refers to v (unless it is bound again by another |a;i-quantificr). 

The hybrid logics H'*CTL+ and H'^CTL are obtained by restricting H'^CTL* in the same 
fashion as for CTL+ and CTL, respectively. The logic HCTL is the union of all logics H^'CTL, 
likewise HCTL+ and HCTL*. 

A state formula of a hybrid logic is satisfiable if there exists a tree T with T,r,u \= (p, 
where r is the root of T and w = (r, . . . , r) is a vector of adequate length. In this case we also 

® In general, we consider finite and infinite trees and, correspondingly, finite and infinite paths in 
trees. It should always be clear from the context whether we restrict attention to finite or infinite 
trees. 



3 



say that T is a model of (denoted as T \= (p). A state formula is finitely satis fiable if it 
has a finite model. 

Two path formulas ip and tp' are equivalent (denoted as = tp') if for all trees T, all 
paths w of T and all vectors u of adequate length it holds: T, tt, 0, m \= ip iff T, tt, 0, it |= ?/^'. 
Similarly, two state formulas ip and p' are equivalent (denoted as ip = (p') if for all trees T, 
all nodes and all vectors u of adequate length it holds: T,v,u\=(piST,v,u\=ip'. We say 
that a logic C is at least as expressive as £ (denoted as jC < C) if for every ip G jC there is a 
93' G £' such that p = p' . C and £' have the same expressive power if £ < £' and £' < £. £' 
is strict more expressive than £ if £ < £' but not £' < £. 

Size, depth and succinctness. For each formula p), we define its size \<p\ as usual and its 

depth d{p}) as the nesting depth with respect to path quantifiers. 

It should be remarked that the definition of d{(p) is tailored for the proof of inexpressibility 
with respect to H'^CTL. For general H'^CTL* formulas one would count also the nesting of 
temporal operators. 

The formal notion of succinctness is a bit delicate. We follow the approach of [12] and 
refer to the discussion there. We say that a logic £ is h-succinct in a logic £', for a function 
ft. : N ^ R, if for every formula p in C there is an equivalent formula p' in £' such that 
|<^'| < /i(|(p|). £ is -succinct in £' if £ is ft-succinct in £', for some h in function class J^. We 
say that £ is exponentially more succinct than £' if £ is not /i-succinct in £', for any function 
h e 2°("). 

Normed forms. It will sometimes be convenient to restrict the set of operators that have to 
be considered. To this end, we say that a H^'CTL formula is in E-normal form, if it does not 
use the path quantifier A at all. A formula is in \J -normal form if it only uses the combinations 
EX, EU and AU (but not, e.g., EG and AX). 

Proposition 1. Let k>l. 

(a) For each H'^CTL formula (p there is an equivalent R^CTL -formula in V -normal form and 
the size of tp is linear in the size of (p. 

(b) For each H'^CTL formula ip there is an equivalent li^GTlj-formula in E-normal form. 

Proof, (a) This can be easily shown just as for CTL. Actually, the original definition of CTL 

by Emerson and Clarke [5] used only EX, EU and AU. 
(b) This is straightforward as A(tp\Jx) can cquivalcntly expressed as (-iE(-ix) U(^x A -^ip)) A 

(-iEG->x)- However, it should be noted that the recursive application of this replacement 

rule may result in a formula of exponential size. 

□ 

3 Expressivity of HCTL and HCTL+ 

3.1 The expressive power of HCTL+ compared to HCTL 

Syntactically CTL+ extends CTL by allowing Boolean combinations of path formulas in the 
scope of a path quantifier A or E. Semantically this gives CTL+ the ability to fix a path and test 
its properties by several path formulas. However in [6] it is shown that every CTL"'"-formula 
can be translated to an equivalent CTL-formula. The techniques used there are applicable to 
the hybrid versions of these logics. 

Theorem 2. For every k > 1, H'^CTL has the same expressive power as H''CTL+. 
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Proof. The main difficulty in the translation from CTL+ to CTL can be described as follows: 

In a formula like E[F(^i A ... A F(^„] it is not determined in which order the formulas </?!,...,</?„ 
hold on the path fixed by the quantifier E. In [6] this problem is solved by listing all possible 
orders. For instance the formula tp = E[Fi^i A F(/32] is equivalent to Lp' = EF(i^i A EFi^2) V 
EF((p2 AEFiyJi). The transformation algorithm for CTL+ to CTL in [6] is based on the following 
equivalences of CTL+-formulas^: 

(1) ^Xvj = X-.v3 

(2) -^{ifiUifi') = [{if A -^ip')\]{-^ip A V)] V GV 

(3) E(V' V = El/) V El/)' 

(4) Xifi A Xip' = X(v3 A if') 

(5) Gifi AGifi' = G{ip hp') 

n 

(6) E[/\(^iUv'-) A Xx A G^] = V [f\Pi^^^ f\pi^ EX(x a E(/\(^iU^O A GO)] 

i=l 7C{l,...,n} iel i^I i^I 

n n 

(7) E[/\(^iU^:)AGx]= V [E[(/\^,Ax)U(^;(i)A 

i=l 7vGPerTnutation{{^l, ...,n}) i— 1 

E[( A A x)U(^;(2) A E[( /\ ^iAx)U(^;(3)...U(^;(„)AEGx)...)])])]] 

As explained above in equivalence (7) a disjunction of all possible orders of the formulas 
(f'i is formulated. These equivalences also hold for H'^CTL+. It can easily be shown that the 

occurence of root, ©root, Ix or @^ for a variable x does not destroy any of the equivalences. 
Furthermore, as already indicated, if a formula on the right or the left side of one of the 
equivalences is in the scope of J.x then the node to which x is assigned is (up to a new J.x) 
unique which means that x can be treated like a usual proposition. Altogether the translation 
algorithm for CTL"*" to CTL presented in [6] also gives a translation algorithm from Il'^CTL+ to 
H'^CTL for every fc > 1. In [6] it is noticed that the factorial blowup introduced by equivalence 
(7) is the worst blowup in the whole transformation process and since n! = 2'-'*^"' '"^ the 
transformation of a formula tp results in a formula of length 2'^(" ") . □ 

The transformation algorithm in Theorem 2 also yields an upper bound for the succinctness 
between HiCTL+ and RiCTL. 

Corollary 3. HiCTL+ is 2'^ ("-'^"^''^ -succinct in RiCTL. 

3.2 Fairness is not expressible in HCTL+. 

In this subsection, we show the following result. 

oo 

Theorem 4. There is no formula in HCTL"*" which is logically equivalent to EFp. 

oo 

Here, T,v,u \= EFi/? if there is a path tt starting from v that has infinitely many nodes w' 
with T,v',u \= (p. As an immediate consequence of this theorem, HCTL+ does not capture 
CTL*. 

In order to prove Theorem 4, we define an Ehrenfeucht-style game that corresponds to the 
expressive power of HCTL. A game for a difi'erent hybrid logic was studied in [2]. We show 
that if a set L of trees can be characterized by a HCTL-formula, the spoiler has a winning 
strategy in the game for L. We expect the converse to be true as well but do not attempt to 
prove it as it is not needed for our purposes here. 

Let 1/ be a set of (finite or infinite) trees. The HCTL-^ame for L is played by two players, 
the spoiler and the duplicator. First, the spoiler picks a number k which will be the number 

® In [6] and its journal version [7] there are some slight inaccuracies in the equivalences. Here we list 

the corrected ones. 
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of rounds in the core game. Afterwards, the duplicator chooses two trees, T £ L and T' ^ L. 
The goal of the spoiler is to make use of the difference between T and T' in the core game. 

The core game consists of k rounds of moves, where in each round i a node from T and 
a node from T' are selected according to the following rules. The spoiler can choose whether 
she starts her move in T or in T' and whether she plays a node move or a path move. 

In a node move she simply picks a node from T (or T') and the duplicator picks a node 
in the other tree. We refer to these two nodes by Ui (in T) and a- (in T'), respectively, where 
i is the number of the roimd. 

In a path m,ove, the spoiler first chooses one of the trees. Let us assume she chooses T, the 
case of T' is completely analogous. She picks an already selected node aj of T, for some j < i 
and a path tt starting in aj. However, a node aj can only be selected if there is no other node 
ai, I < i below aj. The duplicator answers by selecting a path tt' from a'j. Then, the spoiler 
selects some node a'^ from tt' and the duplicator selects a node ai from tt. 

The duplicator wins the game if at the end the following conditions hold, for every i, j < k: 

— Oi is the root iff a- is the root; 

— ai = Oj iff a'^ = a'p 

— for every proposition p, p holds in ai iff it holds in a^; 

— there is a (downward) path from to aj iff there is a path from a[ to a'j ; 

— Oj is a child of iff a'j is a child of a'^. 

Theorem 5. // a set L of (finite and infinite) trees can he characterized by a HCTh-formula, 

the spoiler has a winning strategy on the HCTL- game for L. 

Proof. Let L be a set of trees and ip € HCTL such that, for every tree T, T is in L if and 
only ifT \= (p. We show that the spoiler has a winning strategy with k^p rounds in the game 
for L, where k^ only depends on ip. 

The proof is by induction on the structure of (p. As usual, we have to prove a slightly 
stronger statement for the induction step. We show that, for every HCTL- formula p with 
variables from Xi := {xi, . . . , xi}, there is k^ such that, for trees T, T', nodes v from T and 
v' from T' and node vectors u and u' , the spoiler has a winning strategy in the fc^-round core 
game on (T, v, u) and (T', v', u') if T,v,u \= ip and T', v', u' ^ ip. 

Thus, the proof uses a slightly extended game, in which the duplicator docs not only choose 
T and T' but also nodes v,v' and node vectors u,u' . The game starts in a situation where 
nodes ao := v and ai := Ui, iov 1 < i < I are already selected in T and correspondingly in 
T' . In the remaining k rounds aj+i, . . . , ai^k and a;_,_j, . . . , a'i_^f, are selected and the winning 
condition applies to ao, . . . , ai+k and Oq, . . . , a;_|_^. 

It is easy to see that the theorem follows from this extended statement. 

If p is atomic, it can only test propositional properties of v and hence the spoiler wins the 
game by choosing k^ = Q. 

The rest of the proof is by case distinction on the outermost operator or quantifier of p>. 

— 1{ ip = -1^, the spoiler has a winning strategy for if) by the hypothesis. She can simply 
follow that winning strategy whilst switching the roles of T and T' . In particular, k^p = k^. 

— If p> = tjjVx the spoiler chooses k^ = ma,x{k^,k^). In the core game she either follows the 
winning strategy for tp or for % depending on whether T,v,u \= ip ot T,v,u \= X- 

— The case that p = ijj A x analogous to the previous one. 

— If (p = EXip the spoiler chooses k^ = k^ + 1. Let T,v,u,T' ,v' ,u' be selected by the 
duplicator. As T,v,u \= (p there is a child w of u such that T,w,u \= ip- On the other 

hand, there is no child w' of v' with T', w' , u' \= ip. Thus, the spoiler can select a;+i := w 
and win the remaining k^ rounds no matter which child of v' is chosen by the duplicator. 
She simply mimics the strategy of the game for ip on (T, aj+i, m) and (T', aj+i, u'). If the 
duplicator does not choose a child of v' the spoiler wins instantly. 

— As AXtp = -lEX-i-i/;, the case of (p = AXtp is already covered by the previous cases. 
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— If 1^ = E{'tp'Ux) the spoiler chooses = max(fc^ + 2,k^ + 1). Let T,v,u,T' ,v' ,u' be 
selected by the duplicator. As T,v,u \= E(^Ux), there is sonic node w below v such that 
T,w,u \= X and, for each node z on the path from to w it holds T,z,u \= tp. The spoiler 
does a node move in T and selects a;+i = w. 

Let w' be the node selected by the duplicator. As T',v',u' y= Lp. wc can conclude that 
T ,w' ,u' y= X or, for some z' on the path from v' to w' , T',z',u' ^ -0. In the former 
case, the game continues, in the latter case she selects Vi_^2 — ^' ■ either case, she has a 
winning strategy for the remaining max(fc^, fc^) rounds by induction. 

— If 1^ = A(-0Ux), is equivalent to (fi A (f2 where ipi = -lEG-ix and Lp2 ~ -iE((-ix)U(-i'0 A 
-ix)). The spoiler chooses k^p = max(fc^, k^) + 2. 

Let T, V, u, T', v', u' be selected by the duplicator. If T', v', u' y= (^2 the winning strategy 
of the spoiler is already given by the previous cases. Otherwise, T',w',m' \= EG-i^. Let 
p' be a path starting from v' such that T', p', |= G-iX- Let w' be the first node on this 
path for which none of the nodes a'^, . . . , o; is below w' . The spoiler selects w' in a node 
move. Let w be the node selected by the duplicator. If there is a node z on the path from 
V to w such that T^z,u ^ Xi the spoiler chooses z in a subsequent node move and wins 
by induction as there is no corresponding node between v' and w' . Otherwise she makes a 
path move in which she first selects the sub-path tt' of p' starting in w' . Let tt be a path in 
T starting from w as selected by the duplicator. As T,w,u \= ipi, there is a node z on tt 
such that T,z,u |= x- The spoiler selects this node as ai+i and, as the duplicator cannot 
find such a node on tt' wins by induction. 

— If (,5 = ixitp, for some i, the spoiler simply chooses k^p = k^. After the selection of 
T, M, T', v\ u' by the duplicator she mimics the game for ip on the structures (T, 

and {T',v',u'[i/v']). 

— If = ©xiV") for some i, the spoiler mimics the game on {T,Ui,u) and (T',u^,u'). 

□ 

Now we turn to the proof of Thm. 4. It makes use of the following lemma which is easy 
to prove using standard techniques (see, e.g., [20]). The lemma will be used to show that the 
duplicator has certain move options on paths starting from the root. The parameter Sk given 
by the lemma will be used below for the construction of the structures Bk- 

For a string s G E* and a symbol a G E let \s\ denote the length of s and \s\a the number 
of occurrences of a in s. 

Lemma 6. For each k > there is a number Sk > such that, for each s G {0, 1}* there is 
an s' e {0, 1}* such that \s'\ < Sk and s =k s' . 

Here, =k is equivalence with respect to the fc-round Ehrenfeucht game on strings (or equiva- 
lently with respect to first-order sentences of quantifier depth k). It should be noted that, if 
A; > 3 and s =k s', then the following conditions hold. 

— s G {0}* implies s' G {0}*. 

— If the first symbol of s is 1 the same holds for s'. 

— If s does not have consecutive I's, s' does not either. 

We fix some Sk, for each k. 

The proof of Thm. 4 uses the HCTL-game defined above. Remember that the spoiler opens 
the game with the choice of a G N and the duplicator responds with two trees T G L and 
T' ^ L. We want to show that the duplicator has a winning strategy so wc need to construct 
such trees, and then need to show that the duplicator has a winning strategy for the A:-round 
core game on T and T'. 

Wc will use transition systems in order to finitely represent infinite trees. A transition 
system is a /C = {V, E, vo,£) where {V, E) is a directed graph, G V, and ^ labels each state 
V gV with a finite set of propositions. The unraveling T{JC) is a tree with node set and 
root wq- a node • • • Vn-iVn is a child of t;o • • • Vn-i iff (t^n-i, t^n) G E. Finally, the label of a 
node vq . . .Vn is £{vn)- 
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Inspired by [8] we define transition systems Ai, for each i > 0, as depicted in Fig. 2 (a). 
Nodes in which p holds arc depicted black, the others are white (and we subsequently refer to 
them as black and white nodes, respectively). • 

(a) (b) 

Fig. 2. Illustration of the definition of (a) Ak and (b) Bk- The path of white nodes in Bk consists of 
Sk nodes. The double arrow => indicates that every white node on the left is connected to every black 
node on the right. 

Thus, ^0 has a black (root) node and a white node with a cycle. Ai has a black (root) 
node, a white node with a cycle and a copy of Ai-i- Furthermore, there is an edge from the 
white node below the root of Ai to each black node in the copy of Ai-i (as indicated by 
^). Let % := T{Ai). We first introduce some notation and state some simple observations 

concerning the tree 

(1) For a node w in 7^ wc denote the maximum number of black nodes on a path starting in 
V (and not counting v itself) the height h(v) of v. Then the root of % has height i. 

(2) If u and v are black nodes of some % with h{u) = h{v) then the subtrees T{u) and T{v) 
induced by u and v are isomorphic. 

(3) The height of a tree is defined as the height of its root. 

(4) A white node v of height i has one white child (of height i) and i black children of heights 
0, . . . , z — 1. A black node has exactly one white son. 

(5) Each finite path ty of % induces a string s(7r) G {0, 1}* in a natural way: s(7r) has one 
position, for each node of tt, carrying a 1 iff the corresponding node is black. 

(6) The root of % has only one child. We call the subtree induced by this (white!) child Ui. If 
t; is a white node of height i then T{v) is isomorphic to Ui. 

Next we define numbers N). inductively as follows: A^o '■= and A^^ := Afc_i +max(S'3, Sk) + 1. 

The following lemma shows that the duplicator has a winning strategy in two structures 
of the same kind, provided they both have sufficient depth. 

Lemma 7. Let i,j,k be numbers such that i,j > Nk- Then the duplicator has a winning 

strategy in the k-round core game on 

(a) % and Tj, and 

(b) Ui and Uj. 

Proof of Lemma 7. The proof is by induction on k, the case k = being trivial. Thus, let 
k > 0. We first show (a). Let us assume first that the spoiler makes a node move in 7^ on u 
(node moves in Tj are symmetric). We distinguish two cases depending on the height of v. In 
both cases let r, r' be the roots of % and Tj respectively. 

Case h{v) > Nk~i- Let tt denote the path from r to v. By Lemma 6 there is a string s' 
with \s'\ < Si such that s(7r) =/ s', where I = max(A:, 3). As j > Nk = Nk^i + 5*; + 1, there is 
a node v' of height > Nk-i in Tj such that the path'^ tt' from r' to v' satifies s(7r') = s'. The 
duplicator chooses v' as her answer in this round. We have to show that she has a winning 
strategy for the remaining k — 1 rounds. Her strategy is a composition of the following three 
strategies for different parts of the trees. ^ 

It should be noted that I > 3 guarantees in particulax that s' does not have consecutive I's. 
* By a standard argument the different strategies can be combined into a strategy on T and T' 

(see again [20]). It is helpful here that path moves only involve paths that are below all previously 
selected nodes. Hence, a path move always only affects one of the sub-games. 
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(i) If the spoiler does a (node or path) move in T{v) or T{v') the duphcator can reply 
according to her winning strategy in the {k — l)-round game in these two trees which is 
guaranteed by induction as both have height > A^fe-i- 

(ii) If the spoiler chooses a node on tt or w' then the duplicator answers following her strategy 
in the fc-round Ehrenfeucht game on the strings s(7r) and s{tt'). 

(iii) The remaining (and most complicated) sub-strategy concerns moves elsewhere in % (the 
case of a move elsewhere in TJ is again symmetric). Let w be a node chosen by the spoiler 
(in a node move or as the starting node of a path). Let y be the last node of tt on the 
path p from r to w. Node y has two different successors - namely one on tt and one on 
p, hence it must be white by fact (4) above. Let z be its successor on p. Let y' be the 
node corresponding to y on tt' as induced by the winning strategy of the duplicator on 
s(7r) and s(7r'). 

— li z has height < A^fe_i let z' be the unique (black!)^ child of y' of the same height as 
z. By fact (2) above, T{z) and T(z') are isomorphic and the duplicator has a winning 
strategy in these two subtrees induced by an isomorphism. 

— li z has height > Nk-i let z' be some child of y' (of the same color as z, not on tt', 
and with height > Nk-i- (Note that z and z' can be both black or both white). By 
induction the duplicator has a winning strategy on T{z) and T{z'). 

Case h{v) < N^-i- Let tt be the path from r to v, and Ui be the highest black node on tt with 
h{ui) < Nk-i- Then we must have h{ui) = Nk-i because tt contains black nodes of height up 
to i > Nk- Hence, ui has a white parent U2 s.t. h{u2) > Nk-i- We determine a node u'2 in T' 
in the same way we picked v' for v in the first case. In particular, h{u2) > N^-i and for the 
paths p leading from r to U2 and p' leading from r' to u'2 we have s{p) =k s{p'). 

Let u[ be the black child of U2 of height h{ui). As h{ui) = h{u'i) there is an isomorphism 
a between T{ui) and T(u2) and we choose v' := (t{v). An illustration is given in Figure 3. 

The winning strategy of the duplicator for the remaining k — 1 rounds follows a on T{ui) 
and T{u2) and is analogous to the first case in the rest of the trees. 

Next, we assume that the first move of the spoiler is a path move in T (path moves in 

T' are again symmetric). 

Let TT be the path chosen by the spoiler. Let v be the lowest black node of tt. Let v' be 
the node chosen by the duplicator had the spoiler selected v in a. node move and let tt' be the 
path from r' to v' extended by the unique infinite white path below v'. We can distinguish 
the same two cases as for node moves. 

If the node a' selected by the spoiler on n' is from T{v') (in case 1) or from T{u'i) (in 
case 2), the duplicator can choose a corresponding node a by the isomorphism. Otherwise, 
the duplicator replies by the node a of p induced by the fc-round (!) winning strategy of the 
duplicator on s{p) and s{p'). 

This completes the inductive step for (a). 

For (b) the proof is completely analogous. This completes the proof of the lemma. 

□ 

We are now prepared to prove Thm. 4. 

Proof of Theorem 4. By Theorem 2 it is sufficient to show that no formula equivalent to 

00 

EFp exists in HCTL. To this end, we prove that the duplicator has a winning strategy in the 

00 

HCTL-game for the set of trees fulfilling EFp. 

We next define transition systems Bk, for A: > 0. As illustrated in Figure 2 (b), Bk has a 
black root from which a path of length Sk of white nodes starts. The last of these white nodes 
has a self-loop and an edge back to the root. Furthermore, Bk has a copy of An^ finfl there is 
an edge from each white node of the initial path to each black node of the copy of ^jv^ • 

® z must be black as all nodes on tt have height > Nk-i and only black nodes may have a smaller 
height than their parent. 
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Fig. 3. Illustration of the case where h{v) < N^-i. The colors of v and v' are not known a priori. 

oc oo 

Clearly, for each fc, Bk \= EFp and Ak ^ EFp. 

We show in the remainder of the proof that, for each fc, the duplicator has a winning 
strategy in the fc-round core game on T = T{Bk) and T' — T{ANk)- 

We call the nodes of T induced by the extra nodes that Bk has over ^jv^ extra nodes. 

The proof is again by induction on k and it is very similar to the proof of Lemma 7. The 
case A; = is again trivial. 

A node move w in T is answered just as it was in the proof of the lemma. The duplicator 
then wins by induction. Likewise node moves v' in T' are answered as in the proof of the 
lemma and (besides the root) no special black node of T is involved. 

It remains to deal with path moves. Path moves starting in T' can be handled as in the 
proof of the lemma. Likewise path moves starting in T with a path tt of finitely many black 
nodes can be handled along the same lines. 

The only real new case is when the spoiler chooses a path tt in T that has infinitely many 
black nodes. The duplicator answers by choosing the unique path tt' of T' starting from r' 
that only consists of white nodes. Let v' be a node of tt' that is chosen by the spoiler. By 
(the remark after) Lemma 6, there is a string s of < S'fe zeros such that s =k s(p')i where 
p' is the path from r' to v'. The duplicator thus picks the node v on n such that s{p) = s, 
where p denotes the path from r to v. Note that by construction, the initial white path of 
T is long enough to guarantee the existence of such a node v. That the duplicator has a 
winning strategy for the remaining k — 1 rounds can be shown along the same lines as before. 
Subsequent choices of paths with infinitely many black nodes are answered by paths with one 
black node and infinitely many white ones. □ 

4 Satisfiability of HiCTL+ 

Theorem 8. Satisfiability of'H.^CTL+ is hard for SEXFTIME. 

Proof. The proof is by reduction from a tiling game (with 3EXPTIME complexity) to the 

satisfiability problem of H^CTL+. Actually we show that the lower bound even holds for the 
fragment of H^CTL+ without the U-operator (but with the F-operator instead). 

An instance / = {T, H,V, F, L,n) of the 2EXP-corridor tiling game consists of a finite 
set T of tile types, two relations H,V C T x T which constitute the horizontal and vertical 
constraints, respectively, two sets F,LCT which describe the starting and end conditions, 
respectively, and a number n given in unary. The game is played by two players, E and A, on 
a board consisting of 2^" columns and (potentially) infinitely many rows. Starting with player 
E and following the constraints H, V and F the players put tiles to the board consecutively 
from left to right and row by row. The constraints prescribe the following conditions: 

— A tile f/ can only be placed immediately to the right of a tile t if {t, t') G H. 

— A tile t' can only be placed immediately above a tile t if {t,t') G V. 

— The types of all tiles in the first row belong to the set F. 

Player E wins the game if a row is completed containing only tiles from L or if ^ makes a 
move that violates the constraints. On the other hand, player A wins if E makes a forbidden 
move or the game goes on ad infinitum. 
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A winning strategy for E has to yield a countermove for all possible moves of A in all pos- 
sible reachable situations. Furthermore, the starting condition and the horizontal and vertical 
constraints have to be respected. Finally, the winning strategy must guarantee that either 
player A comes into a situation where he can no longer make an allowed move or a row with 
tiles from L is completed. 

The problem to decide for an instance / whether player E has a winning strategy on / is 
complete for 3EXPTIME. This follows by a straightforward extension of [4]. 

Now wc show in full detail how to build a formula (pj of length Od/j • |r|) from an instance 
/ with tile set T of the 2EXP-corridor tiling game such that (fi is satisfiable if and only if 
player E has a winning strategy in the game for /. In fact, a tree will satisfy (fi if and only if 
it encodes a winning strategy of player E. Here, the encoding tree represents all possible plays 
(for the various moves of player A) for a fixed (and winning) strategy of player E. 

Encoding of the winning strategy for player E. Wc encode strategics for player E as T-labclcd 
trees in which each move is represented by a sequence of nodes (see Figure 5). The first move 
of player E is represented by a sequence starting at the root. Each sequence corresponding 
to a move of E is followed by several branches, one for every possible next move of A. Each 
sequence corresponding to a move of A is followed by one sequence of nodes corresponding to 
the move of player E following the strategy. It is clear that such a tree represents a winning 
strategy if every root path corresponds to a sequence of moves resulting in a win for player E. 

In the encoding wc use the propositions {pos^, poSg,bo, ...,bn-i, roWe, roWo,b, o, c, (jj} U 
{pt \ t E T} . Ill order to be able to describe the constraints via a H^CTL^-formula of polyno- 
mial length we serially number all positions of a row of the board in the style of [27]. While in 
[27] a row^" consists of 2" positions we have to deal with 2^ positions in the current proof. We 
encode each position by a sequence of 2" nodes, each of which we call position bits. For each 
of these nodes the propositions bo, 6„_i encode a binary number. Each position bit in turn 
represents one bit of a binary number of length 2" via proposition b^^. Each such sequence is 
preceded by a position node which holds sonic additional information that will be described 
later. We call a sequence of length 2" + 1 representing one position of the tiling a position 
sequence. In each position bit of a position sequence proposition pt holds for the tiling type t 
of its tile. A row is represented by 2^ position sequences preceded by a row node. Altogether, 
a row is represented by a row sequence consisting of (2" + 1)2^" + 1 nodes. 

For technical reasons, each position node of an even (odd) position is marked using the 
proposition pos^,, [pos^, respectively). Likewise, the row nodes of even (odd) rows are marked 
using rowe {roWo). It is worth noting that the tree branches only^^ after position nodes in 
which poSg holds as the odd positions are tiled by A. 

To compare two nodes of a path that are far apart we use a technique that was originally 
invented in [27] and was also applied in [13]. To this end, we use two kinds of nodes: original 
nodes which are labelled with the proposition o and copy nodes labelled with the proposition 
c. For the encoding of the winning strategy only the original nodes are relevant. Each original 
node has a copy node with identical propositions (except for the proposition o) as a child. 
Likewise, each copy node has only copy nodes with identical propositions as children (sec 
Figure 4). Copy nodes will enable us to "mark" an original node v by fixing a path tt through 
V and its copy node child. Since copy nodes carry the propositions of their parent original 
nodes, assertions about an original node can be tested in any of their subsequent copy nodes. 

Proposition is used to label the part of the tree which does not belong to the encoding 
of the winning strategy. 

^" Actually, the proof in [27] uses alternating Turing machines and thus encodes configurations rather 
than rows. 

'^'^ It should be noted that the lowest bit of this binary number is represented by the position bit with 
the highest number. 

After the modification in the next paragraph, this statement only holds with respect to original 
nodes. 
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Testing vertical constraints. The most difficult condition to test is that a tree respects the 
vertical constraints. Thus, we have to check the following condition: For every row, except 
the first one, the tile of every position is consistent with the tile of the corresponding position 
in the previous row. 

To this end, we have to compare two position sequences representing corresponding posi- 
tions in consecutive rows. Two sequences represent corresponding positions if, whenever two 
position bits are equivalent with respect to 60, ... , hn-i, they are also equivalent with respect 
to h. The technical challenge is to do this comparison with a formula of linear (as opposed 
to exponential) size. Finally, it has to be checked that the position bits of the two position 
sequences are consistent with respect to V. 

Let r and r' be row sequences representing two consecutive rows. Let s' be some position 
sequence of r' for which consistency with the corresponding position of the previous row r 
shall be checked. 

We first give an informal description of the formula that checks the vertical constraints. 
Assume that x is associated with the last position bit of the position sequence s' representing 
the j-th position in r' . We first construct a formula ^ that becomes true exactly at the first 
position bit v of the position sequence s representing position j in row r on the path to x. 

To this end, ^ checks that there is a path starting in v, continuing at least to the last node 
of s (from where it might follow copy nodes) and from each non-copy node u on this path, 
there is a path leading to some copy node of a node u' in s' with exactly the same propositions 
60, • • • , hn-i, b. 

This can be expressed as 

n — 1 n—1 

^ = o A /\ ^bi AE[F /\ bi A G(o E[{FroWo A -.Frowe V Frowg A -^FroWo)A 

i=0 i=0 

n-1 

G(^c ^ EFx) A FE(Fa; A G^fpos) A /\{bi^ F(c A bi)) A 6 ^ F(c A b)])] 

i=0 

Here, (fpos is an abbreviation for pos^ V pos^ indicating that a node is a position node. The 
path formula F bi ensures that the current path continues at least to the last position 
bit of the current position from where it might follow copy nodes. The path formula FroWg A 
-iFroWe V FroWe A -^FroWo makes sure that the current path meets exactly two rows. The 

path formula G(-ic EFx) A FE(F3; A G^ippos) tests that the path reaches the same position 
sequence as the node carrying x but no subsequent position sequence. 

The vertical constraints now hold if, whenever x is put to the last position node of some 

position sequence s' with tile type t', if at some node v the formula ^ holds then the tile type t at 
V has to be such that (t, t') G V . This can now be expressed by AG [ Afgr [("^ Ar==o^ ^» ^P^' ) ~* 

ix.@,ootAG(C-> Vct.toey^'*)]]- 

For an instance / of 2EXP-corridor tiling game we present the whole formula ipi of length 

in 0(1/1 |r|) such that </?/ is satisfiable if and only if player E has a winning strategy in the 
game for 7. The formula tpi is composed of the conjunction of x = Ai£i Xi ^^nd — AI=i V'i 
where x describes the basic tree structure that is needed to formulate a strategy and the -0 
guarantees that the model of ipi corresponds to a winning strategy for player E. Each of the 
subformulas Xi, is of length 0(|7||T|). 
We first introduce some abbreviations: 

~ Vpos = POSg V poSg (position node) 
~ frow = roWe V row o {row node) 

— f first = o A A"=o^ ~^bi {first (and original) node in a position sequence) 
~ flast = A2=o^ i^c-^t node in a position sequence, not necessarily original) 
~ ipfuii = G^ippos A F(c A (fiiast) (the path extends exactly until the end of the position 
sequence and continues with copy nodes; in this sense it is a full path) 
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— i'Bpos = (Fpo.Sg A -iFpoSg) V (FpoSg A -^Fpos^) (the path meets two (consecutive) position 
sequences) 

~ 4'2row = (Frowe A -iFroWo) V (FroWo A -FroWe) (the path meets two (consecutive) row 
sequences) 

The first formula helps to describe some properties in a simple way. 

Tl: Each node of the tree is labelled with exactly one of the propositions rowg, rowg, pos^, 
poSg, gjj, a and c. 

Xi = AG[{(prow V ippos V (7tt V o V c)A 

(poSg ~^poSg A -TOWe A -^roWo A -igjt A -lO A -■c)A 
{poSg — > -^pos^ A -iroWe A ^roWo A -igj A -lO A -■c)A 
(roWe — > ~'POS^ A ^poSg A ^roWo A -i^tt A -lO A -■c)A 
{rowo ->p0Sg A ^pos^ A ^roWe A -iqj A A ^c)A 
(gj ^ ->pos^ A -^poSg A -^rowe A -iroWo A A ^c)A 
(o ^ ~'P0Sg A ^poSg A ^rowe A -irowo A -igj A -ic)A 
(c ^ ~^poSg A -'poSg A -iroWe A -^roWo A -igjj A -lo)] 

T2: T/ie rooi induces with the proposition roWg the encoding of the first row and every node 
labelled with roWg or roWo has exactly one child labled with pos^ signalising the encoding of a 
new position. 

X2 = rowe A A.G[iprow EX(po5g A ix.@rootEF(EXx A AXx))] 

T3: Every child of a pos^-or pos^-node is labelled with the initial position bit number encoded 
by bo... bn-i . 

X3 = AG[ippos AX(p first] 

T4: As long as the last position bit of a position is not reached, the next node is labelled with 
the next position bit number. 

In order to keep the length of xa within the bound 0(|/||T|), we make use of additional 
propositions do, ... , dn-i and eo, . . . , e„_i. The idea is that = 1 iff bj = 1, for all j < i and 
that ej = 1 iff bj = 0, for all j < i. 

X4 = X4a A X4b 

n — 1 71—1 

Xia = AG{do A /\[di^ {di-i A &i_i)] A eo A /\ [e^ ^ (ei_i A -^bi-i)]) 

i=l i=l 

X4b = AG [(o A -^(filast ) 

(ix.EX(o A [(e„_i A 6„_i A @^^bn-i) V (^e„_i A (6„_i ^ @^bn-i))]A 

n-2 

f\ [{ei+i A @xrfi+i) V {a AbiA @x-6i) V (^e^ A {bi ^ @x6i))]))] 

i=0 



T5: Each position bit has a child, which represents a copy of it. The nodes of a subtree rooted 
at a copy node are labelled exactly with the same propositions. 



X5 = AG[(o ^ ia;.EX(c A /\{b, <^ @^bi) A b ^ @^b))A 

i=0 
n-1 

(c ^ ix.AG(c A /\{bi^ @^bi) A b ^ @^b))] 



i=0 
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T6: Each position bit has exactly two children. One of them is its copy node and the other one 
is: 

(a) the next position bit if the current node is not already the last position bit or 

(b) a node containing one of the propositions pos^, pos^, rowe, rowg and gj, otherwise. 



X6 = X6a A X65 



X6a = AG[(o A -^ipiast) ^EX(o A lx.@rootEF{EXx A AX(o ^ x)))A 

EX(c A ix.@rootEF(EXa; A AX(c ^ a;)))A 
AX(o V c)] 

X66 = AG[(o A ifia,t) ^EX(c A ix.@rootEF(EXa; A AX(c ^ x)))A 

EX(^c A ia;.@rootEF(EXa; A AX(^c ^ a;)))A 

AX(c V (fpos V (frow V gj) 

T7: With the propositions rowe and rowo the counting of the positions of the current row starts. 
This means thai the next position gets the initial position number. Therefore the proposition b 
is set to false in every position bit of this position. 

X7 = AGi^rou, ^ EXAXE[V'/.H A G^b]] 

Compared to the increasing of a position bit number the increasing of a position number is a 
little bit complicated because in the latter case the bits arc distributed over several nodes. In 
addition, we have to account for the case that player A cannot make a move without violating 
the horizontal or vertical constraints. In this case the game is over and gj-nodes follow only. 
We describe the increasing of a position number in three parts. 

X8 = XSa A X86 A XSc 

T8a: // the last position is reached then a new row is started or the game is over. 

X8a = AG[<fifirst A m^fuH A G6] ^ E[G^V'pos A F(o A (piast A EX{(Prow V ^tt))]] 

T8b: // the last position is not reached and it is the turn of player E then the next position 
sequence definitely has to be encoded and it gets the next position number. 

X8b =AG[(pfirst A E[G^<ppos A F(c A (piast A b)] A E[V'/„h A F-.6] 6] 

Find the highest bit which has to be flipped. 

e =E[V'/„« A F(o A -6 A EX(^c A (o ^ E[,PfuU A Gb])) A 6')] 

Flip the same bit in the next position sequence. 

e' =ix.[9" A E[^/„„ A F(o A ipiast/\ 

n-l 

EX{(ppos A AXEfV'/uH A F(o A /\ (&, <^ @^bi) A (6 ^ @^b)A 

i=0 

EX(^c A (o ^ E[V/„// A G-6])))]))]] 
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// the proposition b is satisfied in a position bit preceding the flipped bits then it is also satisfied 
in the same position bit in the next position sequence. 

0" =@rootEF[v' first A ElG^ippos A Fx A F(c A /\ {bi ^ @^bi))A 

i=0 

n-1 

G(o A^x^ Altjjspos A /\ (6i ^ F(c A bi)) 6 ^ F(c A b)])]] 

T8c: // the last position is not reached and it is the turn of player A then the next position 
sequence has not to be encoded but the game could be over. 

X8c =AG[Lpfirst A E[G^ippos A F(c A ^ia,t A ^b)] {E[iIjjuii A F(o A ipiast A EXgtj)] V 6*)] 

T9: Determining whether a position/row has an even or uneven number. 

X9 = X9a A X95 

X9a =AG[ippos ix.@,ootAG[ippos A EXE[ipfuu A F(o A (piast A EXa;)] 

{pos^ ^ @xPosJ]] 

X9b =AG[iProw ix.@rootAG[iprow A EXE[G^iprow A F(c A ipiast)^ 

F(o A ipiast A EXa;)] — »• {rowe ^ @xrowo)]] 

TIO: Each move of player A is followed by exactly one counter rn,ove of player E. Because the 
even positions correspond to the moves of player E, every position node labeled with pos^ must 
have exactly one child. 

Xio = AG[pos^ EXia:.@rootEF(EXa; A AXx)] 

Now we use the tree structure described above to encode a winning strategy for player E. 
Wl: The game ends after a, finite sequence of moves. 

We express this by postulating that on every rootpath which does not contain any copy nodes 
a gj-node is eventually reached. A gj-node is followed only by gj-nodes. 

V-i =A(G-c ^ Fgj) A AG(gB ^ AGgj) 

W2: To each position belongs exactly one tile type. 

We remember that a tile type t is represented by the proposition pt in all position bits of a 
position sequence. 

i>2 =AG[[o ^\/{ptA /\ ^pt')] A [o A -nifiast ^ A (* ^ ^ 

W3: According to the horizontal constraints, the tile type of every position, except the first one 
on each row, is consistent with the tile type of the precedent position. 

1p3 =AG[ip first 

/\ \Pt' ->■ lx.@rootAG[ipfirst A ^X A E[Fx A ^l)2pos A G^ifirow] ^ V 

t'eT {t,t')eH 
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rowe pos^ 



_2 2"-lpos„ 
• 



o 



2" -2 2"-lpos^ 
1 : 



1 2"-l 
11 1 



pos^ 



rowo poSg 



Fig. 4. A row sequence in the encoding of a winning strategy for player E. The upper nodes are copy 
nodes. 



W4: According to the vertical constraints, for every row, except the first one, it holds that the 
tile type of every position on this row is consistent with the tile type of the same position on 
the precedent row. 

V'4 =AG[ipfirst A \Pt' ^ ^bPm ^ ^ V>iast A ia;.@rootAG[^ ^ \/ pt])]]] 
t'£T (f,t')ev 

C =<P/irst A E[Fa; A G(-.c EFx) A ■ip2row]^ 

E[^/„« A G(o E[G(-.c ^ EFa;) A FE[G^ippos A Fx]A 

n-l 

/\ {bi ^ F(c A 6i)) A 6 ^ F(c A 6)])] 

i=0 

W5: possible moves of player A are represented in the encoding. 

1p5 =AG[ipfirst A E[lpfull A F(0 A iflast A -.6)] ^ 

/\iPt^ A A F(o A ifiast A EX((^po, A EXpt,))]V 



{t,t')eH 



E[lPfullAF{o/\ipiast^ 

ix.@,ootEF(^A 



{t",t')(v 



F(o A <piast A EX(pt.. A EFa;))]))]))] 

W6: All tile types in the first row are from the set F. 

tp6 = AG[if first A ia;.@i.ootEXE[G-.(/5ro^ A Fx] ^ \J pt] 

teF 

W7: Unless the game terminates prematurely (because player A is not able to make a further 
move) all tile types in the last row are from the set L. 

tp7 =AG[o A ifiast A & A EXgj 

ix.@rootEF[(^„^ A EXE[G^iprow A Fx A G{ipfirst V Pt)]]] 

teL 



Finally we obtain the formula (pi as a conjunction of the formulas encoding the properties 
Tl-TlO and W1-W7. It should be noticed that a model for ipi can contain multiple possible 
moves for player E on each position. In this case it suffices to choose one of the suggested 
moves because every rootpath without copy nodes represents a win for E. 

□ 

We can obtain, by simple instantiation, a consequence of this lower complexity bound 
which will be useful later on in proving the exponential succinctness of H^CTL+ in H^CTL. 
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Corollary 9. There are finitely satisfiable H^CTL+ formulas ipn, n € N, of size 0{n) s.t. 
every tree model Tn of has height at least 2^ . 

Proof. Consider the following instances of the 2EXP-tiling game: 7„ := (T, iJ, V, F, L, n) where 
T = {0,1} X {l,f,s}. Tiles are supposed to model bit values in their first component. The 
second component describes whether or not a bit has to be flipped (value f ) or remains the 
same (value s) in the increase of a value encoded in binary through these bits. The value 1 
is used to mark the lowest bit in a number. Remember that in binary increase the lowest bit 
always gets flipped whereas the flipping of any other bit is determined by the value of itself, 
the value of the next lower bit and the question whether or not that bit gets flipped. We 
denote a tile as O-"- for instance rather than (0, 1). 

/„ is constructed in a way that forces both players to put down the number in binary 
coding into the first row of the 2^ -arena and, whenever a row encodes a number i, then 
the players need to place the binary encoding of i + 1 into the next row. Thus, there will be 
(almost) no choices for the players. Player E should win when the highest possible number 
2^^ is placed in a row. 

The starting constraints are F := {0-'^,0^}. Hence, the first row must encode 0. The hori- 
zontal constraints are as follows. 

H := {(o^6^),(l^6*),(o^6^),(l^6*),(o^6^),(l^6^)} 

where b is, in any case, an arbitrary value in {0, 1}. 

Now note that with this H and F, there are only two possible first rows that the players 
can lay down: O-'^O^ ... 0^ or 0^ ... 0^, and it is player E who determines entirely through his 
first choice which of these it is going to be. 

Next we will translate the informal description of binary increase given above into the 
vertical constraints. 

V := {(o^l^),(l^o^),(o^l-),(l^o-),(o^o-),(l^l-)} 

where x is, in any case this time, an arbitrary value in {f , s}. 

Now note that, if a row i is layed down entirely, then the vertical constraints determine 
uniquely the bit value of each tile in the next row. Furthermore, if the first tile in row i is of 
the form then the first tile in row i + 1 is uniquely determined to be (1 — &)■'■, and H as well 
as the bit values in row i + 1 uniquely determine the flip- values of all the bits in row i + 1. 
Furthermore, all lowest bits that are all 1 in row i are in row i + 1, the lowest bit that is 
in row i is 1 in row i + 1, and all other bits in row i + 1 retain their value from row i. Hence, 
if row i encodes the number i in binary (starting with 0), then row i + 1 encodes the number 
i + 1 in binary. 

Thus, if player E chooses tile O-"- as the first one, then both players have no choice but to 
lay down the binary encodings of 0, 1,2,.. .. On the other hand, if player E chooses tile 0^ as 
the first one then all rows will encode the number because the entire arena must be tiled 
with 0^ only. 

Finally, remember that the goal is to construct In in a way that enforces a play filling 2^ 
many rows. This can now easily be achieved by constuction the end constraints in a way that 

player E only wins when the number 2^ — 1 has been placed down in a row. We therefore set 
L := {1^, 1*}. Note that in the successive increase as constructed above, the last row cannot 
contain the tile 1^. □ 

Using the ideas of the transformation mentioned in Tlieorc^ni 2 we can show that the lower 
bound for H^CTL+ is optimal. Even for strictly more expressive logics than H^CTL+ the 
satisfiability problem remains in 3EXPTIME. 

Theorem 10. The satisfiability problem for R^CTL+ is 3EXPTIME-comp/ete. 
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Proof. Let HipECTL+ be the logic HiCTL+ augmented with the operators Y, S, F and G 
and similarly H^PCTL be H^CTL augmented with Y and S. We describe how to transform a 
H-'^PECTL+-formula (p into an satisfiability equivalent H-'^PCTL-formula ip' . The transforma- 
tion algorithm we use yields an exponential blowup in the formula length. As satisfiability of 
RipCTL is in 2EXPTIME [28] we get the desired 3EXPTIME upper bound for satisfia- 
bility of HiPECTL+. 

The transformation algorithm uses the equivalences already used in the proof of Theorem 
2 plus additional equivalences to deal with the extra operators. For convenience of the reader, 
we state all equivalences in the following. 

(1) -iXip = X^p 

(2) -nYip = Y^ip 

(3) -^{(pVip') = [{(p A V)U(^<y5 A -ncp')] V G^tp' 

(4) -^{ipSip') = {ipA ^ip')S{^ip A V) 

OO OD 

(5) -^Gp = F^p 

(6) E(V' V 7p') =E'ipV E^' 

(7) Xip A Xip' = X{ip A 

(8) Yp A Yip' = Yip A p') 

(9) Gp> A Gp' = G{p A p') 

CXD OO OO 

(10) Gp A G(p' = G{p A p') 

(11) Extraction of past operators 

k I m n o 

. . oo, ,CX),(X) 

E[ A Y<Pi A A (V'iSVD A Xx A GC A Gp A A iViVvl) A /\FKi A f\^FXi] 

i=l i=l i=l i=l i=l 

k I 7n n o 

A A "^A a'^A^ 

A Y^, A A (V'iSV-) A E[Xx A G^ A Gp A A ('?iUr?0 A A Fk. A A -FA^] 

i—1 i—1 i=l i=l i—1 

(12) Elimination of the X-operator 

I m n 

oo oo oo 

F[Xp A GV- A Gx A A (^.U^D A A F^i A A -FA,] 

1=1 i=l i=l 



... . C)Oa .oo.oo 

V [ A ^> ^ ^ A ^ A E[G^ A Gx A feUCD A A FACi A A -FA,])] 

/C{l,...,i} ie/ i^I i^I i=l i=l 

(13) Disjunction over all possible sequences in which the formulas ^[ with 1 <i <l can occur 

/ m n 

oo . A ^ A ^ 

E[GV A Gx A A (^iU^i) A A FKi A A -FA,] 

i=l 1=1 i=l 



V [i?[(A6AV')U(C(i)AE[( A eiAV)U(C(2)A 

7rGPerm({l,...,n}) i=l ^T^ttCI) 

m n 

. oo . oo . oo 

E[( A 6AV)U(C(3)A...U(C(„)AE[GV'AGxA Af«,A A-FAi])...)])])]] 

i7^7r(l),7r(2) i=l i=l 
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(14) Elimination of the G-operator 

m n m n 

oo.oo.oo .00. oo 

E[GV; A Gx A /\ A /\ -FAi] = E[VU(E[G(V A x) A /\ Fk^ A /\ -FA^])] 

i=\ 1=1 i=l z=l 

00 

(15) Elimination of -iF 

m n n m 

E[Gi; A /\ FKi A /\ -FAi] = E[V'U(E[G(V' A /\ -A^) A /\ F^i])] 

i=l 1=1 i=l z=l 

00 

(16) Elimination of the F-operator 

m 

. 00 

E[G^A/\FKi] 

i=l 

is satisfiable if and only if 

m m 

/\ AG(-EG(pi A -nKi)) A EG(v A /\ k) 
j=i i=i 

is satisfiable 

Note that in (16) the two formulas are equivalent only with respect to satisfiability. For every 

formula the new formula uses an additional proposition pi which is supposed to hold on 

00 

all paths satisfying Fk^. 

Let be a H^PECTL+-formula. We can assume that does not contain the path quantifier 
A because of Atjj = -lE-n/'. In a bottom up fashion the algorithm replaces each subformula 

E^ of by a H^PCTL-formula. Thus, it only remains to describe how to transform a formula 

00 

Flip where ■0 is a boolean combination of path formulas of the form Yx, X^x') ^Xi xUx'i Fx 

00 

and Gx with x € H^PCTL. The transformation involves the following steps: 

- Using De Morgan's laws the -i-operators are pushed to the leaves of the Boolean combi- 
nation. 

- By applying equivalences (l)-(5) negations can be eliminated from the outermost Boolean 

combination and a formula Et/j is obtained in which -0 is a positive Boolean combination 

00 00 00 

of path formulas of the form Yx, xSx', Xx, Gx,xUx', Fx, "'Fx and Gx 

— By applying equivalences (6)-(10) the formula can be transformed into a formula of the 
form 

E[Ati A ALiIV-^sv-D a Xx a gc a Gp a AtAviVvd a Ati a a°=i -fa,]. 

— Eventually, applying equivalences (11) - (16) a H PCTL-formula if' is obtained which is 
satisfiable if and only if (p is satisfiable. 

It can be shown that the factorial blowup in equivalence (7) is the worst blowup in the trans- 
formation algorithm [6]. As n! = 2^^" we can conclude that \ip'\ is at most exponential 
in |(^|. □ 



5 The Succinctness of HiCTL+ w.r.t. H^CTL 

In Corollary 3 an upper bound of 2'^("'°sn) for the succinctness of HiCTL+ in R^CTL is 
given. In this section we establish the lower bound for the succinctness between the two logics. 
Actually we show that II^CTL+ is exponentially more succinct than H^CTL. The model- 
theoretic approach we use in the proof is inspired by [17]. We first establish a kind of small 
model property for H^CTL. 
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Theorem 11. Every finitely satisfiable CTL-formula (f with \ = n has a model of depth 

Proof. In [28] it was shown that for every H^CTL- formula (p, an equivalent nondeterministic 
Biichi tree automaton with 2^°"'^" states can be constructed. It is easy to see by a pumping 

argument that if accepts some finite tree at all, it accepts one of depth 2^°"'^" . It should be 
noted that the construction in [28] only constructs an automaton that is equivalent to tp with 
respect to satisfiability. However, the only non-equivalent transformation step is from <^ to a 
formula (p' without nested occurrences of the |-operator (Lemma 4.3 in [28]). It is easy to see 
that this step only affects the propositions of models but not their shape let alone depth. □ 

Corollary 9 and Theorem 11 together immediately yield the following. 

Corollary 12. H^CTL+ is exponentially more succinct than H^CTL. 



6 Conclusion 

The aim of this paper is to contribute to the understanding of one-variable hybrid logics on 
trees, one of the extensions of temporal logics with reasonable complexity. We showed that 
II^CTL+ has no additional power over H^CTL but is exponentially more succinct, we settled 
the complexity of H^CTL"*" and showed that hybrid variables do not help in expressing fairness 
(as HCTL+ cannot express EGFp). 

However, we leave a couple of issues for further study, including the following. 

— We conjecture that the succinctness gap between H^CTL+ and H^CTL is actually 6{n)\. 

— We expect the HCTL-game to capture exactly the expressive power of HCTL. Remember 
that here we needed and showed only one part of this equivalence. 

— The complexity of Model Checking for HCTL has to be explored thoroughly, on trees and 
on arbitrary transition systems. In this context, two possible semantics should be explored: 
the one, where variables are bound to nodes of the computation tree and the one which 
binds nodes to states of the transition system (the latter semantics makes the satisfiability 
problem undecidable on arbitrary transition systems [2]) 
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Fig. 5. An encoding of a winning strategy for player E in the case where n = 2. 
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